CVE-2025-55285

Published: Aug 15, 2025

Modified: Aug 15, 2025

PUBLISHED

CVSS v3.1

2.6

LOW

Description

@backstage/plugin-scaffolder-backend is the backend for the default Backstage software templates. Prior to version 2.1.1, duplicate logging of the input values in the fetch:template action in the Scaffolder meant that some of the secrets were not properly redacted. If ${{ secrets.x }} is not passed through to fetch:template there is no impact. This issue has been resolved in 2.1.1 of the scaffolder-backend plugin. A workaround for this issue involves Template Authors removing the use of ${{ secrets }} being used as an argument to fetch:template.

Vendor	Product	Versions
backstage	backstage	affected `< 2.1.1`

Weaknesses (CWE)

CWE-532

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:N/A:N

Attack Vector

Network

Attack Complexity

High

Privileges Required

High

User Interaction

Required

Scope

Changed

Confidentiality

Low

Integrity

None

Availability

None

References

https://github.com/backstage/backstage/security/advisories/GHSA-3x3q-ghcp-whf7

x_refsource_CONFIRM

https://github.com/backstage/backstage/commit/c371f6fe12371de31dca537510e6653e287cdc2e

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2025-55285

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References